Nothing Special   »   [go: up one dir, main page]

US11106458B2 - System and method for distributed ledger-based software supply chain management - Google Patents

System and method for distributed ledger-based software supply chain management Download PDF

Info

Publication number
US11106458B2
US11106458B2 US16/513,114 US201916513114A US11106458B2 US 11106458 B2 US11106458 B2 US 11106458B2 US 201916513114 A US201916513114 A US 201916513114A US 11106458 B2 US11106458 B2 US 11106458B2
Authority
US
United States
Prior art keywords
metadata
artifact
software
record
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US16/513,114
Other versions
US20200026510A1 (en
Inventor
Duncan ADAMS
Alex HAYZELDEN
Vaidyalingam Ramalingam
Trevor Collins
Andrew J. MULLER
Stephen FLAHERTY
Tanmay MADAN
Robert Falconer KEITH
Ashish Tiwari
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
JPMorgan Chase Bank NA
Original Assignee
JPMorgan Chase Bank NA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by JPMorgan Chase Bank NA filed Critical JPMorgan Chase Bank NA
Priority to US16/513,114 priority Critical patent/US11106458B2/en
Publication of US20200026510A1 publication Critical patent/US20200026510A1/en
Assigned to JPMORGAN CHASE BANK, N.A. reassignment JPMORGAN CHASE BANK, N.A. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: TIWARI, ASHISH, KEITH, Robert Falconer
Application granted granted Critical
Publication of US11106458B2 publication Critical patent/US11106458B2/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/71Version control; Configuration management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/36Preventing errors by testing or debugging software
    • G06F11/3668Software testing
    • G06F11/3672Test management
    • G06F11/3692Test management for test results analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/645Protecting data integrity, e.g. using checksums, certificates or signatures using a third party
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority

Definitions

  • the present disclosure generally relates to systems and methods for distributed ledger-based software supply chain management.
  • a method for distributed ledger-based software supply chain management may include: (1) receiving, from a software tool, a metadata artifact for a software development lifecycle event; (2) writing the metadata artifact to a metadata store; and (3) updating a present state database with values for metadata keys referencing the metadata artifact in the metadata store.
  • the software development lifecycle event may include one or more of creating a requirement or a defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, a deployment to an end system, and a process starting on a server.
  • the metadata artifact may include at least one of an artifact name, an organization ID, a creation time, an artifact type, an artifact data, an artifact hash, a reference of hash, and a reference ID of the software tool.
  • the metadata artifact may refer to the software development lifecycle event.
  • the software tool may be part of a software lifecycle.
  • the metadata artifact may be encrypted, and the method may also include decrypting the metadata artifact.
  • the metadata artifact may be received over a message bus.
  • the metadata store may maintain an immutable record of the metadata artifact.
  • the metadata store may include a blockchain-based distributed ledger, a hashgraph, a stream processing service, a noSQL database, a conventional relational database, etc.
  • the present state database may include a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
  • a method for distributed ledger-based software supply chain management may include: (1) receiving a file of interest; (2) generating a hash of the file of interest, wherein the hash uniquely identifies the file of interest; (3) searching a present state database with the hash; (4) receiving a record from the present state database that matches the hash; (5) retrieving a block from a metadata store referenced by the record; and (6) retrieving a file archive associated with the record.
  • the metadata store may maintain an immutable record of the metadata artifact.
  • the metadata store may include a blockchain-based distributed ledger, a hashgraph, a stream processing service, a noSQL database, a conventional relational database, etc.
  • the present state database may include a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
  • the method may further include providing the file archive to a downstream system.
  • the file archive may identify a source of the file of interest, may include source code for the file of interest, etc.
  • a system for distributed ledger-based software supply chain management may include a plurality of software development tools; a controller; a metadata store, wherein the metadata store maintains an immutable record of a plurality of metadata artifacts; and a present state database comprising a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
  • the controller may receive a metadata artifact for a software development lifecycle event from one of the software development tools; may write the metadata artifact to the metadata store; and may update the present state database with values for metadata keys referencing the metadata artifact in the metadata store.
  • the controller may further receive a file of interest; may generate a hash of the file of interest, wherein the hash uniquely identifies the file of interest; may search the present state database with the hash; may retrieve a record from the present state database that matches the hash; may retrieve a block from a metadata store referenced by the record; and may retrieve a file archive associated with the record.
  • FIG. 1 depicts a system for distributed ledger-based software supply chain management according to one embodiment
  • FIG. 2 depicts a method for distributed ledger-based software supply chain management according to one embodiment
  • FIG. 3 depicts a method for distributed ledger-based software supply chain management according to one embodiment.
  • Embodiments disclosed herein provide traceability throughout the software lifecycle, for example, from software development to software deployment to software retirement/removal. Embodiments support governance and control processes that exist in the corporate environment.
  • the first is process artifact traceability.
  • Software generally goes through multiple phases during its lifecycle, from initial inception and design, though construction, testing, release, and eventually retirement. Each of these phases generates data records that are typically held in multiple tools and systems. These tools must be linked up to provide full visibility into software supply chain (e.g., plan, develop, compile, build, scan, test, deploy, release, run).
  • Planning process artifacts may include bug fixes references, new feature references, class diagrams, use cases, design and architecture, business requirements, etc.
  • Development process artifacts may include bug fixes references, commit references, author(s), change histories, software versions, etc.
  • Compile process artifacts may include compile tool versions, dependency information, etc.
  • Build process artifacts may include build definitions, unit test results, package signatures, etc.
  • Scan process artifacts may include quality scan results, security scan results, risk scan results, etc.
  • Test process artifacts may include test plans, test results, performance/limits/capacity analysis, test acceptance, etc.
  • Deploy process artifacts may include deployment configurations, dependency configurations, server environments, etc. Release process artifacts may include server configurations, dependency configurations, server environment, etc. Run process artifacts may include error logs, resource usage, process history, etc.
  • the second is software artifact traceability.
  • Most running software is assembled from a number of separate components usually involving application code, third party libraries, and run time dependencies. Understanding the origin and use of these components, where and which versions are used, and where they were sourced is required to be able to fully support a piece of software. These can constantly change over time due to bug fixes, security fixes, licensing requirements or business needs.
  • Software artifacts may include code, binaries, libraries, and packages.
  • the metadata stored may be signed by the source of the data.
  • Digital signing requires each system producing data to have its own certificate that can identify the system.
  • Code signing utilizes public key cryptography to create a digital signature that can uniquely identify an artifact and its originating owner. This digital signature may be provided as an additional piece of metadata to the data store.
  • data for the application may be provided to the data store by posting to a REST interface which would in turn store the data appropriately. Additional REST interfaces may be provided to retrieve data from the store to allow for the reporting of any software artifact as is necessary and/or desired.
  • control systems such as approval systems or automated deployment systems. This may be achieved by either providing comprehensive reporting to the approver, or by creating auto-approval systems based on the solution. For example, minimum standards for risk and quality scan results, or performance test results, may be used to support any control decisions.
  • control systems may base decisions on adherence to other corporate policies, such as the particular source code repositories or build systems being used to produce the data, as well as machine learning.
  • Third party software may also leverage this solution, where the use of any software may be dictated by the metadata held around the software. This may include risk information, such as known software issues, vendor licensing restrictions, and/or architectural choices.
  • each process or event within an application's lifecycle may be a “transaction” for which the meta-data may be written as a new block, or part of a new block, on the chain.
  • each transaction may create a permanent record and may allow each part of the software supply chain to be linked together.
  • each application may have its own SDLC history written to the distributed ledger.
  • each instance of the application may have its own SDLC history written to the distributed ledger (e.g., each instance of an application may share a common SDLC history from development to deployment, but may have a specific SDLC history following deployment based on how and/or where it was deployed, how it was, used, etc.).
  • the application lifecycle data may have a number of applications. For example, because the data source is both immutable and known, it may be used to make automated deployment solutions. Examples include verifying that all software has followed the correct software creation process, verifying that appropriate quality and security levels have been met, analysis of what testing has been performed, etc. If the information does not exist or does not meet the minimum requirements, this may be flagged to the deployment team for automated resolution, or it may trigger a manual exception process. Whether the approval decision is manual or automated, the decision may be added to the traceability records.
  • the data may be used to assess vulnerability.
  • new software vulnerabilities are identified, in order to understand their likely impact, it is necessary to understand where and how the vulnerable software is used. This requires not only knowing what software contains the vulnerability, but also where that software is currently running By interrogating the traceability records, this information may be easily retrieved.
  • the approval systems are also using the traceability data, they may prevent any further deployments of the vulnerable software.
  • having all the data records of each of the tools in the software supply chain across all software delivery may provide valuable insights into the performance of the entire software delivery process and performance of the SDLC. This may be based on, for example, how the tools of the SDLC process themselves are performing (e.g., the number of builds through the build systems, deployment velocities, etc.).
  • run-time failures may be correlated to code quality or fragile testing discipline. Reports on process compliance may be generated, and may identify potential bottlenecks in the whole process flow.
  • the data may be used to monitor resource usage.
  • the move to automation in software delivery with increased adoption of Continuous Integration (CI) and Continuous Delivery (CD) methods has resulted in an increase in the amount of hardware compute and storage resources required to support it.
  • the software traceability data may manage both existing requirements and potential future demand. By understanding what software is actually running in production environments, and identifying what software is no longer running, being used, etc., older versions may be removed, and the storage resources released. Existing build and deployment numbers may be tracked to understand adoption numbers observe usage trends and plan for expansion of hardware resources or license expansion.
  • Combining the traceability data with operational data and business data may provide insights in terms of costs and effectiveness of solutions. For example, as the traceability data may allow tracing an application back to the business requirements, and combining that data with real customer feedback may establish whether the application delivered (or is delivering) in terms of its intended purpose. Understanding the progression of software through the SDLC may also allow the business to understand software development tooling in terms of value rather than costs.
  • machine learning may be applied to the traceability data to identify issues through the SDLC. For example, unusually large code bases or long build times may indicate issues with application structure. Alternatively, abnormal patterns of behavior may be identified, such as unusual code commits or deployment activity, which may indicate malicious activity. Machine learning may assist in analyzing how applications are developed, how they perform, and how users interact with the application, therefore providing a greater understanding of the impact of code releases on the business objectives.
  • System 100 may include software tools 110 1 , 110 2 , . . . 110 n , controller 120 , metadata store 130 , and present state database 140 .
  • Each software tool 110 may create a metadata artifact in response to an external event, such as creating a requirement or defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, deployment to an end system, a process starting on a server, etc.
  • the events that are traced may depend on the use case of the supply chain data.
  • Metadata may include, for example, an artifact name, an organization ID, a creation time (e.g., UTC), an artifact type, artifact data, an artifact hash, a reference of the hash, a reference ID of creating tool, list of supply chain references, etc.) Additional metadata may be added depending on the use case, or may be provided by the artifacts themselves. In one embodiment, the artifacts may not be stored; only references to the artifacts are stored. Artifacts may be maintained by the respective tool 110 , or in a separate artifact repository (not shown).
  • a metadata artifact refers to the actual record of an event
  • metadata refers to the data that is written to a store, such as a distributed ledger.
  • the metadata artifact may refer to, or be part of, the metadata itself (e.g., a deploy record will reference the deployment system that will have the actual record of where the software is deployed, or the metadata could hold that information itself).
  • Each software tool 110 may include a certificate to identify the tool, with a public/private key pair used to encrypt and decrypt the hash of the metadata.
  • each software tool 110 may include a plurality of certificates that may change over time, depending on the requirements of the system. Certificates may be generated by a trusted source.
  • Signing the metadata may not preclude attaching data to the supply chain data.
  • the interpretation of unsigned data may be the responsibility of the system viewing the data.
  • an automated approval system may not approve a deployment from an unknown source depending on the environment
  • a compliance tool may not approve a deployment from an unknown source depending on the environment
  • a compliance tool may raise an exception against a tool that is not known, etc.
  • metadata store 130 is permissioned, then unsigned artifacts may not be accepted.
  • the metadata may be made available.
  • Each software tool 110 may create a recordable artifact. Examples include a data record that references a defect ticket, a record of a deployment, a test summary, etc. For large data artifacts, such as binary files, build bill of materials, scan results, detailed test results, a reference to the original data may be maintained.
  • Software tools 110 may produce a hash of the data with a reference to the data so that the data may be verified.
  • Each software tool 110 may supply a list of references to elements from the supply chain that it has leveraged. Examples include a reference to a defect ticket, a source code commit, a third-party complier used as part of a build, environment data, etc. For certain events, the file artifact hash may be the only reference required to link the data to the respective tool 110 in the tool chain.
  • each individual file comprising the composite file may create a separate metadata artifact referring to the composite file type.
  • archive file formats e.g., zip, tar, Java jar, War, etc.
  • packaged software formats e.g., RPM, Nuget, NPM, etc.
  • Examples of software tools may include, for example, JIRA, GIT, GITHUB, BITBUCKET, GITLABS, JENKINS, TEAM CITY, MICROSOFT VSTS, BLACKDUCK, AQUA, JFROG ARTIFACTORY, NEXUS, SPINNAKER, etc.
  • Controller 120 may include one or more electronic devices (e.g., servers, workstations, cloud, etc.) that may execute a program or application that may abstract supply chain data from the actual storage technology so that each SDLC tool may write the data without having to understand or implement the underlying storage technology. It may control access to metadata store 130 in a permissioned system, and may enforce any policy rules (e.g., not accepting unsigned data or data signed from unknown sources). It may also check whether the data already exists, and may create the transaction to be written to metadata store 130 .
  • electronic devices e.g., servers, workstations, cloud, etc.
  • software tools 110 may communicate with controller 110 using a message bus (not shown).
  • Metadata store 130 may be a source of reference data. Metadata store 130 may include one or more stores.
  • metadata store 130 may be immutable.
  • metadata store 130 may use blockchain, hashgraphs, stream processing services (e.g., immutable stream based messaging, such as Kafka), noSQL databases, conventional relational databases, etc.
  • metadata store 130 may include multiple, different instances or storage solutions.
  • a distributed, un-permissioned blockchain solution may be maintained for external dependency records
  • a hashgraph may be used for the SDLC tool chain tools
  • a stream processing platform may be used for deployment and run-time events.
  • Metadata store 130 may be permissioned and private, or it may be public and un-permissioned.
  • metadata store 130 may only be updated by controller 120 .
  • Present state database 140 may be a key/value pair database where each key is a value of the metadata stored and provides a reference to the underlying data source record. It may provide a simplified search of the underlying metadata store.
  • present state database 140 may be reconstructed from data in metadata store 130 . It may be updated by controller 120 or may be created as part of an event to metadata store 130 .
  • FIG. 2 an exemplary process of distributed ledger-based software supply chain management is disclosed according to one embodiment.
  • a software development lifecycle event occurs. Examples include creating a requirement or defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, deployment to an end system, a process starting on a server, etc.
  • a software tool that is involved in the software development lifecycle may create a metadata artifact for the event.
  • the software tool may encrypt the metadata artifact with a private key, and in step 220 , may communicate the signed metadata artifact to a controller.
  • the signed metadata artifact may be communicated using a message bus.
  • the controller may decrypt the metadata artifact to verify the software tool and, in step 230 , the controller may write the metadata artifact to a metadata store.
  • the metadata store may maintain an immutable record, such as a blockchain-based ledger, a hashgraph, etc.
  • Other types of stores such as stream processing services, noSQL databases, conventional relational databases, etc. may be used as is necessary and/or desired.
  • the controller may update a present state database with values of the metadata keys referring to the artifact in the metadata store.
  • step 210 the process may continue with step 210 .
  • a method for retrieving traceability data from a distributed ledger is disclosed according to one embodiment.
  • a file of interest may be received.
  • the file of interest may be a file for which it is desired to identify the source.
  • a hash of the file of the interest is generated.
  • the hash may uniquely identify the file of interest.
  • the hash may be used to search the present state database.
  • a distributed ledger may be searched for the hash, and the present state database may be reconstructed from the metadata store.
  • one or more records may be identified as matching the hash.
  • the block(s) referenced by the one or more records may be retrieved from the metadata store.
  • the metadata store may include a distributed ledger.
  • compressed file archive(s) from the block record(s) may be retrieved with the associated record from the present state database.
  • step 330 if there are additional records identified in step 315 , the process may be repeated until all compressed file archives and associated records are retrieved.
  • step 335 after all records are retrieved, one or more additional actions may be taken.
  • the record(s) may be provided to the user, provided in a report, may be used by other systems, etc.
  • the action(s) taken may depend on the particular use case, the purpose of the retrieval, etc. For example, if the file is a malicious file, the source of the file may be returned. As another example, if the developer seeks to fix code, the developer may seek the source code. Any other suitable use may be provided as is necessary and/or desired.
  • the system of the invention or portions of the system of the invention may be in the form of a “processing machine,” such as a general purpose computer, for example.
  • processing machine is to be understood to include at least one processor that uses at least one memory.
  • the at least one memory stores a set of instructions.
  • the instructions may be either permanently or temporarily stored in the memory or memories of the processing machine.
  • the processor executes the instructions that are stored in the memory or memories in order to process data.
  • the set of instructions may include various instructions that perform a particular task or tasks, such as those tasks described above. Such a set of instructions for performing a particular task may be characterized as a program, software program, or simply software.
  • the processing machine may be a specialized processor.
  • the processing machine executes the instructions that are stored in the memory or memories to process data.
  • This processing of data may be in response to commands by a user or users of the processing machine, in response to previous processing, in response to a request by another processing machine and/or any other input, for example.
  • the processing machine used to implement the invention may be a general purpose computer.
  • the processing machine described above may also utilize any of a wide variety of other technologies including a special purpose computer, a computer system including, for example, a microcomputer, mini-computer or mainframe, a programmed microprocessor, a micro-controller, a peripheral integrated circuit element, a CSIC (Customer Specific Integrated Circuit) or ASIC (Application Specific Integrated Circuit) or other integrated circuit, a logic circuit, a digital signal processor, a programmable logic device such as a FPGA, PLD, PLA or PAL, or any other device or arrangement of devices that is capable of implementing the steps of the processes of the invention.
  • the processing machine used to implement the invention may utilize a suitable operating system.
  • embodiments of the invention may include a processing machine running the iOS operating system, the OS X operating system, the Android operating system, the Microsoft WindowsTM operating systems, the Unix operating system, the Linux operating system, the Xenix operating system, the IBM AIXTM operating system, the Hewlett-Packard UXTM operating system, the Novell NetwareTM operating system, the Sun Microsystems SolarisTM operating system, the OS/2TM operating system, the BeOSTM operating system, the Macintosh operating system, the Apache operating system, an OpenStepTM operating system or another operating system or platform.
  • each of the processors and/or the memories of the processing machine may be located in geographically distinct locations and connected so as to communicate in any suitable manner.
  • each of the processor and/or the memory may be composed of different physical pieces of equipment. Accordingly, it is not necessary that the processor be one single piece of equipment in one location and that the memory be another single piece of equipment in another location. That is, it is contemplated that the processor may be two pieces of equipment in two different physical locations. The two distinct pieces of equipment may be connected in any suitable manner. Additionally, the memory may include two or more portions of memory in two or more physical locations.
  • processing is performed by various components and various memories.
  • the processing performed by two distinct components as described above may, in accordance with a further embodiment of the invention, be performed by a single component.
  • the processing performed by one distinct component as described above may be performed by two distinct components.
  • the memory storage performed by two distinct memory portions as described above may, in accordance with a further embodiment of the invention, be performed by a single memory portion.
  • the memory storage performed by one distinct memory portion as described above may be performed by two memory portions.
  • various technologies may be used to provide communication between the various processors and/or memories, as well as to allow the processors and/or the memories of the invention to communicate with any other entity; i.e., so as to obtain further instructions or to access and use remote memory stores, for example.
  • Such technologies used to provide such communication might include a network, the Internet, Intranet, Extranet, LAN, an Ethernet, wireless communication via cell tower or satellite, or any client server system that provides communication, for example.
  • Such communications technologies may use any suitable protocol such as TCP/IP, UDP, or OSI, for example.
  • a set of instructions may be used in the processing of the invention.
  • the set of instructions may be in the form of a program or software.
  • the software may be in the form of system software or application software, for example.
  • the software might also be in the form of a collection of separate programs, a program module within a larger program, or a portion of a program module, for example.
  • the software used might also include modular programming in the form of object oriented programming. The software tells the processing machine what to do with the data being processed.
  • the instructions or set of instructions used in the implementation and operation of the invention may be in a suitable form such that the processing machine may read the instructions.
  • the instructions that form a program may be in the form of a suitable programming language, which is converted to machine language or object code to allow the processor or processors to read the instructions. That is, written lines of programming code or source code, in a particular programming language, are converted to machine language using a compiler, assembler or interpreter.
  • the machine language is binary coded machine instructions that are specific to a particular type of processing machine, i.e., to a particular type of computer, for example. The computer understands the machine language.
  • any suitable programming language may be used in accordance with the various embodiments of the invention.
  • the programming language used may include assembly language, Ada, APL, Basic, C, C++, COBOL, dBase, Forth, Fortran, Java, Modula-2, Pascal, Prolog, REXX, Visual Basic, and/or JavaScript, for example.
  • assembly language Ada
  • APL APL
  • Basic Basic
  • C C
  • C++ C++
  • COBOL COBOL
  • dBase Forth
  • Fortran Fortran
  • Java Modula-2
  • Pascal Pascal
  • Prolog Prolog
  • REXX REXX
  • Visual Basic Visual Basic
  • JavaScript JavaScript
  • instructions and/or data used in the practice of the invention may utilize any compression or encryption technique or algorithm, as may be desired.
  • An encryption module might be used to encrypt data.
  • files or other data may be decrypted using a suitable decryption module, for example.
  • the invention may illustratively be embodied in the form of a processing machine, including a computer or computer system, for example, that includes at least one memory.
  • the set of instructions i.e., the software for example, that enables the computer operating system to perform the operations described above may be contained on any of a wide variety of media or medium, as desired.
  • the data that is processed by the set of instructions might also be contained on any of a wide variety of media or medium. That is, the particular medium, i.e., the memory in the processing machine, utilized to hold the set of instructions and/or the data used in the invention may take on any of a variety of physical forms or transmissions, for example.
  • the medium may be in the form of paper, paper transparencies, a compact disk, a DVD, an integrated circuit, a hard disk, a floppy disk, an optical disk, a magnetic tape, a RAM, a ROM, a PROM, an EPROM, a wire, a cable, a fiber, a communications channel, a satellite transmission, a memory card, a SIM card, or other remote transmission, as well as any other medium or source of data that may be read by the processors of the invention.
  • the memory or memories used in the processing machine that implements the invention may be in any of a wide variety of forms to allow the memory to hold instructions, data, or other information, as is desired.
  • the memory might be in the form of a database to hold data.
  • the database might use any desired arrangement of files such as a flat file arrangement or a relational database arrangement, for example.
  • a user interface includes any hardware, software, or combination of hardware and software used by the processing machine that allows a user to interact with the processing machine.
  • a user interface may be in the form of a dialogue screen for example.
  • a user interface may also include any of a mouse, touch screen, keyboard, keypad, voice reader, voice recognizer, dialogue screen, menu box, list, checkbox, toggle switch, a pushbutton or any other device that allows a user to receive information regarding the operation of the processing machine as it processes a set of instructions and/or provides the processing machine with information.
  • the user interface is any device that provides communication between a user and a processing machine.
  • the information provided by the user to the processing machine through the user interface may be in the form of a command, a selection of data, or some other input, for example.
  • a user interface is utilized by the processing machine that performs a set of instructions such that the processing machine processes data for a user.
  • the user interface is typically used by the processing machine for interacting with a user either to convey information or receive information from the user.
  • the user interface of the invention might interact, i.e., convey and receive information, with another processing machine, rather than a human user. Accordingly, the other processing machine might be characterized as a user.
  • a user interface utilized in the system and method of the invention may interact partially with another processing machine or processing machines, while also interacting partially with a human user.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Stored Programmes (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Systems and methods for distributed ledger-based software supply chain management are disclosed. According to one embodiment, in an information processing apparatus comprising at least one computer processor, a method for distributed ledger-based software supply chain management may include: (1) receiving, from a software tool, a metadata artifact for a software development lifecycle event; (2) writing the metadata artifact to a metadata store; and (3) updating a present state database with values for metadata keys referencing the metadata artifact in the metadata store.

Description

RELATED APPLICATIONS
This application claims priority to, and the benefit of, U.S. Provisional Patent Application Ser. No. 62/699,313 filed Jul. 17, 2018, the disclosure of which is hereby incorporated, by reference, in its entirety.
BACKGROUND OF THE INVENTION 1. Field of the Invention
The present disclosure generally relates to systems and methods for distributed ledger-based software supply chain management.
2. Description of the Related Art
Within software development, the processes and tools used are often disjointed at each phase of the development lifecycle. The origins and composition of software components are often overlooked, particularly for open source and free software.
SUMMARY OF THE INVENTION
Systems and methods for distributed ledger-based software supply chain management are disclosed. According to one embodiment, in an information processing apparatus comprising at least one computer processor, a method for distributed ledger-based software supply chain management may include: (1) receiving, from a software tool, a metadata artifact for a software development lifecycle event; (2) writing the metadata artifact to a metadata store; and (3) updating a present state database with values for metadata keys referencing the metadata artifact in the metadata store.
In one embodiment, the software development lifecycle event may include one or more of creating a requirement or a defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, a deployment to an end system, and a process starting on a server.
In one embodiment, the metadata artifact may include at least one of an artifact name, an organization ID, a creation time, an artifact type, an artifact data, an artifact hash, a reference of hash, and a reference ID of the software tool.
In one embodiment, the metadata artifact may refer to the software development lifecycle event.
In one embodiment, the software tool may be part of a software lifecycle.
In one embodiment, the metadata artifact may be encrypted, and the method may also include decrypting the metadata artifact.
In one embodiment, the metadata artifact may be received over a message bus.
In one embodiment, the metadata store may maintain an immutable record of the metadata artifact.
In one embodiment, the metadata store may include a blockchain-based distributed ledger, a hashgraph, a stream processing service, a noSQL database, a conventional relational database, etc.
In one embodiment, the present state database may include a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
According to another embodiment, in an information processing apparatus comprising at least one computer processor, a method for distributed ledger-based software supply chain management may include: (1) receiving a file of interest; (2) generating a hash of the file of interest, wherein the hash uniquely identifies the file of interest; (3) searching a present state database with the hash; (4) receiving a record from the present state database that matches the hash; (5) retrieving a block from a metadata store referenced by the record; and (6) retrieving a file archive associated with the record.
In one embodiment, the metadata store may maintain an immutable record of the metadata artifact.
In one embodiment, the metadata store may include a blockchain-based distributed ledger, a hashgraph, a stream processing service, a noSQL database, a conventional relational database, etc.
In one embodiment, the present state database may include a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
In one embodiment, the method may further include providing the file archive to a downstream system.
In one embodiment, the file archive may identify a source of the file of interest, may include source code for the file of interest, etc.
According to another embodiment, a system for distributed ledger-based software supply chain management may include a plurality of software development tools; a controller; a metadata store, wherein the metadata store maintains an immutable record of a plurality of metadata artifacts; and a present state database comprising a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record. The controller may receive a metadata artifact for a software development lifecycle event from one of the software development tools; may write the metadata artifact to the metadata store; and may update the present state database with values for metadata keys referencing the metadata artifact in the metadata store.
In one embodiment, the controller may further receive a file of interest; may generate a hash of the file of interest, wherein the hash uniquely identifies the file of interest; may search the present state database with the hash; may retrieve a record from the present state database that matches the hash; may retrieve a block from a metadata store referenced by the record; and may retrieve a file archive associated with the record.
BRIEF DESCRIPTION OF THE DRAWINGS
For a more complete understanding of the present invention, the objects and advantages thereof, reference is now made to the following descriptions taken in connection with the accompanying drawings in which:
FIG. 1 depicts a system for distributed ledger-based software supply chain management according to one embodiment;
FIG. 2 depicts a method for distributed ledger-based software supply chain management according to one embodiment; and
FIG. 3 depicts a method for distributed ledger-based software supply chain management according to one embodiment.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
Systems and methods for distributed ledger-based software supply chain management are disclosed.
Embodiments disclosed herein provide traceability throughout the software lifecycle, for example, from software development to software deployment to software retirement/removal. Embodiments support governance and control processes that exist in the corporate environment.
In order to understand the traceability through the software supply chain, two key areas need to be considered. The first is process artifact traceability. Software generally goes through multiple phases during its lifecycle, from initial inception and design, though construction, testing, release, and eventually retirement. Each of these phases generates data records that are typically held in multiple tools and systems. These tools must be linked up to provide full visibility into software supply chain (e.g., plan, develop, compile, build, scan, test, deploy, release, run).
Planning process artifacts may include bug fixes references, new feature references, class diagrams, use cases, design and architecture, business requirements, etc. Development process artifacts may include bug fixes references, commit references, author(s), change histories, software versions, etc. Compile process artifacts may include compile tool versions, dependency information, etc. Build process artifacts may include build definitions, unit test results, package signatures, etc. Scan process artifacts may include quality scan results, security scan results, risk scan results, etc. Test process artifacts may include test plans, test results, performance/limits/capacity analysis, test acceptance, etc. Deploy process artifacts may include deployment configurations, dependency configurations, server environments, etc. Release process artifacts may include server configurations, dependency configurations, server environment, etc. Run process artifacts may include error logs, resource usage, process history, etc.
The second is software artifact traceability. Most running software is assembled from a number of separate components usually involving application code, third party libraries, and run time dependencies. Understanding the origin and use of these components, where and which versions are used, and where they were sourced is required to be able to fully support a piece of software. These can constantly change over time due to bug fixes, security fixes, licensing requirements or business needs.
Software artifacts may include code, binaries, libraries, and packages.
Once the traceability records have been established, one needs to ensure that records are accurate and have not been manipulated. This is essential for any audit trail for the production of software. The auditability of the software process can be thought of in the reverse direction to the production of software—given a piece of running software, can you identify how and why it got into a running state, including quality and approvals, along with the components and code used to build it?
Traditionally, the auditability and traceability of software has been a manual, or, at best, a semi-automated process, and normally only goes to the point of making the software available for deployment. Modern software construction, however, involves continuous integration and delivery to multiple auto-scaling cloud environments, which means that manual controls are not sufficient. There is a clear need to be able to automatically record and update records of both the software processes and artifact.
In order to be able to guarantee the validity of any artifact, the metadata stored may be signed by the source of the data. Digital signing requires each system producing data to have its own certificate that can identify the system. Code signing utilizes public key cryptography to create a digital signature that can uniquely identify an artifact and its originating owner. This digital signature may be provided as an additional piece of metadata to the data store.
Organizations often have a number of software data repositories for software artifacts. Data stores are generally built around the very specific needs of the software system that holds the data. For example, there are standard repositories offering common reusable components distributed by language specific dependency management solutions such as MAVEN for JAVA, NPM for node.js and NUGET for .Net applications. Common software package formats for installing packages also have repository solutions offering package dependency management, such as YELLOWDOG UPDATER, Modified (YUM) for RPM and ADVANCED PACKAGE TOOL (APT) for DEBIAN packages. Further software repository types containing full Virtual Machine Images and more latterly container images also exist. Most of these repository types have versions available for public consumption. In addition, a number of vendors offer repositories that support multiple different repository types.
All of these repositories have the ability to store both software and artifact data (e.g., details of what version of the tool that was used) and may be leveraged as data stores.
In embodiments, data for the application may be provided to the data store by posting to a REST interface which would in turn store the data appropriately. Additional REST interfaces may be provided to retrieve data from the store to allow for the reporting of any software artifact as is necessary and/or desired.
Along with reporting on software artifacts, data from the software development life cycle, or SDLC, may be leveraged to support the control systems such as approval systems or automated deployment systems. This may be achieved by either providing comprehensive reporting to the approver, or by creating auto-approval systems based on the solution. For example, minimum standards for risk and quality scan results, or performance test results, may be used to support any control decisions. In one embodiment, control systems may base decisions on adherence to other corporate policies, such as the particular source code repositories or build systems being used to produce the data, as well as machine learning.
Third party software may also leverage this solution, where the use of any software may be dictated by the metadata held around the software. This may include risk information, such as known software issues, vendor licensing restrictions, and/or architectural choices.
In one embodiment, each process or event within an application's lifecycle may be a “transaction” for which the meta-data may be written as a new block, or part of a new block, on the chain. For example, each transaction may create a permanent record and may allow each part of the software supply chain to be linked together.
In one embodiment, each application may have its own SDLC history written to the distributed ledger. In another embodiment, each instance of the application may have its own SDLC history written to the distributed ledger (e.g., each instance of an application may share a common SDLC history from development to deployment, but may have a specific SDLC history following deployment based on how and/or where it was deployed, how it was, used, etc.).
The application lifecycle data may have a number of applications. For example, because the data source is both immutable and known, it may be used to make automated deployment solutions. Examples include verifying that all software has followed the correct software creation process, verifying that appropriate quality and security levels have been met, analysis of what testing has been performed, etc. If the information does not exist or does not meet the minimum requirements, this may be flagged to the deployment team for automated resolution, or it may trigger a manual exception process. Whether the approval decision is manual or automated, the decision may be added to the traceability records.
Traditional models, where software is promoted to a deployable state and made available via a software repository, are point-in-time decisions that may be made well in advance of actual deployment. Because, in embodiments, the full traceability records for the software exist, all the information associated with the software is known at deployment time and can be checked should new information become available about the legitimacy of the software. For example, this may be something as simple as the traceability record containing a flag indicating the software has now been retired, or more complex decisions based on the dependency information, combined with the time of the scans and new vulnerability records being created.
In one embodiment, the data may be used to assess vulnerability. When new software vulnerabilities are identified, in order to understand their likely impact, it is necessary to understand where and how the vulnerable software is used. This requires not only knowing what software contains the vulnerability, but also where that software is currently running By interrogating the traceability records, this information may be easily retrieved. In addition, if the approval systems are also using the traceability data, they may prevent any further deployments of the vulnerable software.
In another embodiment, having all the data records of each of the tools in the software supply chain across all software delivery may provide valuable insights into the performance of the entire software delivery process and performance of the SDLC. This may be based on, for example, how the tools of the SDLC process themselves are performing (e.g., the number of builds through the build systems, deployment velocities, etc.). In embodiments, run-time failures may be correlated to code quality or fragile testing discipline. Reports on process compliance may be generated, and may identify potential bottlenecks in the whole process flow.
In another embodiment, the data may be used to monitor resource usage. The move to automation in software delivery with increased adoption of Continuous Integration (CI) and Continuous Delivery (CD) methods has resulted in an increase in the amount of hardware compute and storage resources required to support it. The software traceability data may manage both existing requirements and potential future demand. By understanding what software is actually running in production environments, and identifying what software is no longer running, being used, etc., older versions may be removed, and the storage resources released. Existing build and deployment numbers may be tracked to understand adoption numbers observe usage trends and plan for expansion of hardware resources or license expansion.
Combining the traceability data with operational data and business data may provide insights in terms of costs and effectiveness of solutions. For example, as the traceability data may allow tracing an application back to the business requirements, and combining that data with real customer feedback may establish whether the application delivered (or is delivering) in terms of its intended purpose. Understanding the progression of software through the SDLC may also allow the business to understand software development tooling in terms of value rather than costs.
In one embodiment, machine learning may be applied to the traceability data to identify issues through the SDLC. For example, unusually large code bases or long build times may indicate issues with application structure. Alternatively, abnormal patterns of behavior may be identified, such as unusual code commits or deployment activity, which may indicate malicious activity. Machine learning may assist in analyzing how applications are developed, how they perform, and how users interact with the application, therefore providing a greater understanding of the impact of code releases on the business objectives.
Referring to FIG. 1, system for distributed ledger-based software supply chain management is disclosed according to one embodiment. System 100 may include software tools 110 1, 110 2, . . . 110 n, controller 120, metadata store 130, and present state database 140.
Each software tool 110 may create a metadata artifact in response to an external event, such as creating a requirement or defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, deployment to an end system, a process starting on a server, etc. The events that are traced may depend on the use case of the supply chain data. Examples of metadata may include, for example, an artifact name, an organization ID, a creation time (e.g., UTC), an artifact type, artifact data, an artifact hash, a reference of the hash, a reference ID of creating tool, list of supply chain references, etc.) Additional metadata may be added depending on the use case, or may be provided by the artifacts themselves. In one embodiment, the artifacts may not be stored; only references to the artifacts are stored. Artifacts may be maintained by the respective tool 110, or in a separate artifact repository (not shown).
As used herein, a metadata artifact refers to the actual record of an event, and metadata refers to the data that is written to a store, such as a distributed ledger. For example, the metadata artifact may refer to, or be part of, the metadata itself (e.g., a deploy record will reference the deployment system that will have the actual record of where the software is deployed, or the metadata could hold that information itself).
Each software tool 110 may include a certificate to identify the tool, with a public/private key pair used to encrypt and decrypt the hash of the metadata. In one embodiment, each software tool 110 may include a plurality of certificates that may change over time, depending on the requirements of the system. Certificates may be generated by a trusted source.
Signing the metadata may not preclude attaching data to the supply chain data. The interpretation of unsigned data may be the responsibility of the system viewing the data. For example, an automated approval system may not approve a deployment from an unknown source depending on the environment, a compliance tool may not approve a deployment from an unknown source depending on the environment, a compliance tool may raise an exception against a tool that is not known, etc. In one embodiment, if metadata store 130 is permissioned, then unsigned artifacts may not be accepted.
In one embodiment, once generated, the metadata may be made available.
Each software tool 110 may create a recordable artifact. Examples include a data record that references a defect ticket, a record of a deployment, a test summary, etc. For large data artifacts, such as binary files, build bill of materials, scan results, detailed test results, a reference to the original data may be maintained.
Software tools 110 may produce a hash of the data with a reference to the data so that the data may be verified.
Each software tool 110 may supply a list of references to elements from the supply chain that it has leveraged. Examples include a reference to a defect ticket, a source code commit, a third-party complier used as part of a build, environment data, etc. For certain events, the file artifact hash may be the only reference required to link the data to the respective tool 110 in the tool chain.
For references to composite file types, such as archive file formats (e.g., zip, tar, Java jar, War, etc.), and packaged software formats (e.g., RPM, Nuget, NPM, etc.), each individual file comprising the composite file may create a separate metadata artifact referring to the composite file type.
Examples of software tools may include, for example, JIRA, GIT, GITHUB, BITBUCKET, GITLABS, JENKINS, TEAM CITY, MICROSOFT VSTS, BLACKDUCK, AQUA, JFROG ARTIFACTORY, NEXUS, SPINNAKER, etc.
Controller 120 may include one or more electronic devices (e.g., servers, workstations, cloud, etc.) that may execute a program or application that may abstract supply chain data from the actual storage technology so that each SDLC tool may write the data without having to understand or implement the underlying storage technology. It may control access to metadata store 130 in a permissioned system, and may enforce any policy rules (e.g., not accepting unsigned data or data signed from unknown sources). It may also check whether the data already exists, and may create the transaction to be written to metadata store 130.
In one embodiment, software tools 110 may communicate with controller 110 using a message bus (not shown).
Metadata store 130 may be a source of reference data. Metadata store 130 may include one or more stores.
In one embodiment, metadata store 130 may be immutable. For example, metadata store 130 may use blockchain, hashgraphs, stream processing services (e.g., immutable stream based messaging, such as Kafka), noSQL databases, conventional relational databases, etc.
In one embodiment, metadata store 130 may include multiple, different instances or storage solutions. For example, a distributed, un-permissioned blockchain solution may be maintained for external dependency records, a hashgraph may be used for the SDLC tool chain tools, and a stream processing platform may be used for deployment and run-time events.
In one embodiment, all metadata may be written to metadata store 130. Metadata store 130 may be permissioned and private, or it may be public and un-permissioned.
In one embodiment, metadata store 130 may only be updated by controller 120.
Present state database 140 may be a key/value pair database where each key is a value of the metadata stored and provides a reference to the underlying data source record. It may provide a simplified search of the underlying metadata store.
In one embodiment, present state database 140 may be reconstructed from data in metadata store 130. It may be updated by controller 120 or may be created as part of an event to metadata store 130.
Referring to FIG. 2, an exemplary process of distributed ledger-based software supply chain management is disclosed according to one embodiment.
In step 205, a software development lifecycle event occurs. Examples include creating a requirement or defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan, deployment to an end system, a process starting on a server, etc.
In step 210, a software tool that is involved in the software development lifecycle may create a metadata artifact for the event.
In step 215, the software tool may encrypt the metadata artifact with a private key, and in step 220, may communicate the signed metadata artifact to a controller. In one embodiment, the signed metadata artifact may be communicated using a message bus.
In step 225, the controller may decrypt the metadata artifact to verify the software tool and, in step 230, the controller may write the metadata artifact to a metadata store. In one embodiment, the metadata store may maintain an immutable record, such as a blockchain-based ledger, a hashgraph, etc. Other types of stores, such as stream processing services, noSQL databases, conventional relational databases, etc. may be used as is necessary and/or desired.
In step 235, the controller may update a present state database with values of the metadata keys referring to the artifact in the metadata store.
If there is another lifecycle event, the process may continue with step 210.
Referring to FIG. 3, a method for retrieving traceability data from a distributed ledger is disclosed according to one embodiment.
In step 305, a file of interest may be received. For example, the file of interest may be a file for which it is desired to identify the source.
In step 310, a hash of the file of the interest is generated. In one embodiment, the hash may uniquely identify the file of interest.
In step 315, the hash may be used to search the present state database. In another embodiment, a distributed ledger may be searched for the hash, and the present state database may be reconstructed from the metadata store.
In one embodiment, one or more records may be identified as matching the hash.
In step 320, the block(s) referenced by the one or more records may be retrieved from the metadata store. In one embodiment, the metadata store may include a distributed ledger.
In step 325, compressed file archive(s) from the block record(s) may be retrieved with the associated record from the present state database.
In step 330, if there are additional records identified in step 315, the process may be repeated until all compressed file archives and associated records are retrieved.
In one embodiment, in step 335, after all records are retrieved, one or more additional actions may be taken. For example, the record(s) may be provided to the user, provided in a report, may be used by other systems, etc. The action(s) taken may depend on the particular use case, the purpose of the retrieval, etc. For example, if the file is a malicious file, the source of the file may be returned. As another example, if the developer seeks to fix code, the developer may seek the source code. Any other suitable use may be provided as is necessary and/or desired.
Although multiple embodiments have been disclosed, it should be recognized that these embodiments are not mutually exclusive, and features from one embodiment may be used with others.
Hereinafter, general aspects of implementation of the systems and methods of the invention will be described.
The system of the invention or portions of the system of the invention may be in the form of a “processing machine,” such as a general purpose computer, for example. As used herein, the term “processing machine” is to be understood to include at least one processor that uses at least one memory. The at least one memory stores a set of instructions. The instructions may be either permanently or temporarily stored in the memory or memories of the processing machine. The processor executes the instructions that are stored in the memory or memories in order to process data. The set of instructions may include various instructions that perform a particular task or tasks, such as those tasks described above. Such a set of instructions for performing a particular task may be characterized as a program, software program, or simply software.
In one embodiment, the processing machine may be a specialized processor.
As noted above, the processing machine executes the instructions that are stored in the memory or memories to process data. This processing of data may be in response to commands by a user or users of the processing machine, in response to previous processing, in response to a request by another processing machine and/or any other input, for example.
As noted above, the processing machine used to implement the invention may be a general purpose computer. However, the processing machine described above may also utilize any of a wide variety of other technologies including a special purpose computer, a computer system including, for example, a microcomputer, mini-computer or mainframe, a programmed microprocessor, a micro-controller, a peripheral integrated circuit element, a CSIC (Customer Specific Integrated Circuit) or ASIC (Application Specific Integrated Circuit) or other integrated circuit, a logic circuit, a digital signal processor, a programmable logic device such as a FPGA, PLD, PLA or PAL, or any other device or arrangement of devices that is capable of implementing the steps of the processes of the invention.
The processing machine used to implement the invention may utilize a suitable operating system. Thus, embodiments of the invention may include a processing machine running the iOS operating system, the OS X operating system, the Android operating system, the Microsoft Windows™ operating systems, the Unix operating system, the Linux operating system, the Xenix operating system, the IBM AIX™ operating system, the Hewlett-Packard UX™ operating system, the Novell Netware™ operating system, the Sun Microsystems Solaris™ operating system, the OS/2™ operating system, the BeOS™ operating system, the Macintosh operating system, the Apache operating system, an OpenStep™ operating system or another operating system or platform.
It is appreciated that in order to practice the method of the invention as described above, it is not necessary that the processors and/or the memories of the processing machine be physically located in the same geographical place. That is, each of the processors and the memories used by the processing machine may be located in geographically distinct locations and connected so as to communicate in any suitable manner. Additionally, it is appreciated that each of the processor and/or the memory may be composed of different physical pieces of equipment. Accordingly, it is not necessary that the processor be one single piece of equipment in one location and that the memory be another single piece of equipment in another location. That is, it is contemplated that the processor may be two pieces of equipment in two different physical locations. The two distinct pieces of equipment may be connected in any suitable manner. Additionally, the memory may include two or more portions of memory in two or more physical locations.
To explain further, processing, as described above, is performed by various components and various memories. However, it is appreciated that the processing performed by two distinct components as described above may, in accordance with a further embodiment of the invention, be performed by a single component. Further, the processing performed by one distinct component as described above may be performed by two distinct components. In a similar manner, the memory storage performed by two distinct memory portions as described above may, in accordance with a further embodiment of the invention, be performed by a single memory portion. Further, the memory storage performed by one distinct memory portion as described above may be performed by two memory portions.
Further, various technologies may be used to provide communication between the various processors and/or memories, as well as to allow the processors and/or the memories of the invention to communicate with any other entity; i.e., so as to obtain further instructions or to access and use remote memory stores, for example. Such technologies used to provide such communication might include a network, the Internet, Intranet, Extranet, LAN, an Ethernet, wireless communication via cell tower or satellite, or any client server system that provides communication, for example. Such communications technologies may use any suitable protocol such as TCP/IP, UDP, or OSI, for example.
As described above, a set of instructions may be used in the processing of the invention. The set of instructions may be in the form of a program or software. The software may be in the form of system software or application software, for example. The software might also be in the form of a collection of separate programs, a program module within a larger program, or a portion of a program module, for example. The software used might also include modular programming in the form of object oriented programming. The software tells the processing machine what to do with the data being processed.
Further, it is appreciated that the instructions or set of instructions used in the implementation and operation of the invention may be in a suitable form such that the processing machine may read the instructions. For example, the instructions that form a program may be in the form of a suitable programming language, which is converted to machine language or object code to allow the processor or processors to read the instructions. That is, written lines of programming code or source code, in a particular programming language, are converted to machine language using a compiler, assembler or interpreter. The machine language is binary coded machine instructions that are specific to a particular type of processing machine, i.e., to a particular type of computer, for example. The computer understands the machine language.
Any suitable programming language may be used in accordance with the various embodiments of the invention. Illustratively, the programming language used may include assembly language, Ada, APL, Basic, C, C++, COBOL, dBase, Forth, Fortran, Java, Modula-2, Pascal, Prolog, REXX, Visual Basic, and/or JavaScript, for example. Further, it is not necessary that a single type of instruction or single programming language be utilized in conjunction with the operation of the system and method of the invention. Rather, any number of different programming languages may be utilized as is necessary and/or desirable.
Also, the instructions and/or data used in the practice of the invention may utilize any compression or encryption technique or algorithm, as may be desired. An encryption module might be used to encrypt data. Further, files or other data may be decrypted using a suitable decryption module, for example.
As described above, the invention may illustratively be embodied in the form of a processing machine, including a computer or computer system, for example, that includes at least one memory. It is to be appreciated that the set of instructions, i.e., the software for example, that enables the computer operating system to perform the operations described above may be contained on any of a wide variety of media or medium, as desired. Further, the data that is processed by the set of instructions might also be contained on any of a wide variety of media or medium. That is, the particular medium, i.e., the memory in the processing machine, utilized to hold the set of instructions and/or the data used in the invention may take on any of a variety of physical forms or transmissions, for example. Illustratively, the medium may be in the form of paper, paper transparencies, a compact disk, a DVD, an integrated circuit, a hard disk, a floppy disk, an optical disk, a magnetic tape, a RAM, a ROM, a PROM, an EPROM, a wire, a cable, a fiber, a communications channel, a satellite transmission, a memory card, a SIM card, or other remote transmission, as well as any other medium or source of data that may be read by the processors of the invention.
Further, the memory or memories used in the processing machine that implements the invention may be in any of a wide variety of forms to allow the memory to hold instructions, data, or other information, as is desired. Thus, the memory might be in the form of a database to hold data. The database might use any desired arrangement of files such as a flat file arrangement or a relational database arrangement, for example.
In the system and method of the invention, a variety of “user interfaces” may be utilized to allow a user to interface with the processing machine or machines that are used to implement the invention. As used herein, a user interface includes any hardware, software, or combination of hardware and software used by the processing machine that allows a user to interact with the processing machine. A user interface may be in the form of a dialogue screen for example. A user interface may also include any of a mouse, touch screen, keyboard, keypad, voice reader, voice recognizer, dialogue screen, menu box, list, checkbox, toggle switch, a pushbutton or any other device that allows a user to receive information regarding the operation of the processing machine as it processes a set of instructions and/or provides the processing machine with information. Accordingly, the user interface is any device that provides communication between a user and a processing machine. The information provided by the user to the processing machine through the user interface may be in the form of a command, a selection of data, or some other input, for example.
As discussed above, a user interface is utilized by the processing machine that performs a set of instructions such that the processing machine processes data for a user. The user interface is typically used by the processing machine for interacting with a user either to convey information or receive information from the user. However, it should be appreciated that in accordance with some embodiments of the system and method of the invention, it is not necessary that a human user actually interact with a user interface used by the processing machine of the invention. Rather, it is also contemplated that the user interface of the invention might interact, i.e., convey and receive information, with another processing machine, rather than a human user. Accordingly, the other processing machine might be characterized as a user. Further, it is contemplated that a user interface utilized in the system and method of the invention may interact partially with another processing machine or processing machines, while also interacting partially with a human user.
It will be readily understood by those persons skilled in the art that the present invention is susceptible to broad utility and application. Many embodiments and adaptations of the present invention other than those herein described, as well as many variations, modifications and equivalent arrangements, will be apparent from or reasonably suggested by the present invention and foregoing description thereof, without departing from the substance or scope of the invention.
Accordingly, while the present invention has been described here in detail in relation to its exemplary embodiments, it is to be understood that this disclosure is only illustrative and exemplary of the present invention and is made to provide an enabling disclosure of the invention. Accordingly, the foregoing disclosure is not intended to be construed or to limit the present invention or otherwise to exclude any other such embodiments, adaptations, variations, modifications or equivalent arrangements.

Claims (17)

What is claimed is:
1. A method for distributed ledger-based software supply chain management comprising:
in an information processing apparatus comprising at least one computer processor:
receiving, from a software tool and over a message bus, a metadata artifact comprising at least one of an artifact name, an organization ID, a creation time, an artifact type, an artifact data, an artifact hash, a reference of hash, and a reference ID of the software tool, wherein the metadata artifact contains data for a software development lifecycle event including at least one of creating a requirement or a defect record in a planning system, committing a line
of code in a source code management tool, a software build, completion of a test or scan and a deployment to an end system;
writing the metadata artifact to a metadata store; and
updating a present state database with values for metadata keys referencing the metadata artifact in the metadata store.
2. The method of claim 1, wherein the metadata artifact refers to the software development lifecycle event.
3. The method of claim 1, wherein the software tool is part of a software lifecycle.
4. The method of claim 1, wherein the metadata artifact is encrypted, and the method further comprises decrypting the metadata artifact.
5. The method of claim 1, wherein the metadata store maintains an immutable record of the metadata artifact.
6. The method of claim 1, wherein the metadata store comprises a blockchain-based distributed ledger or a hashgraph.
7. The method of claim 1, wherein the metadata store comprises one of a stream processing service, a noSQL database, and a conventional relational database.
8. The method of claim 1, wherein the present state database comprises a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
9. A method for distributed ledger-based software supply chain management comprising:
in an information processing apparatus comprising at least one computer processor:
receiving a file of interest;
generating a hash of the file of interest, wherein the hash uniquely identifies the file of interest;
searching a present state database with the hash;
receiving a record from the present state database that matches the hash;
retrieving a block from a metadata store referenced by the record, wherein the metadata store includes a metadata artifact that contains data for a software development lifecycle event including at least one of creating a requirement or a defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan and a deployment to an end system; and
retrieving a file archive associated with the record.
10. The method of claim 9, wherein the metadata store maintains an immutable record of the metadata artifact.
11. The method of claim 9, wherein the metadata store comprises a blockchain-based distributed ledger or a hashgraph.
12. The method of claim 9, wherein the present state database comprises a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record.
13. The method of claim 9, further comprising:
providing the file archive to a downstream system.
14. The method of claim 9, wherein the file archive identifies a source of the file of interest.
15. The method of claim 9, wherein the file archive comprises source code for the file of interest.
16. A system for distributed ledger-based software supply chain management comprising:
a plurality of software development tools, each software development tool executed by a computer processor;
a controller executed by a computer processor;
a metadata store, wherein the metadata store maintains an immutable record of a plurality of metadata artifacts, wherein each metadata artifact comprises at least one of an artifact name, an organization ID, a creation time, an artifact type, an artifact data, an artifact hash, a reference of hash, and a reference ID of the software development tool, wherein the metadata artifact contains data for a software development lifecycle event including at least one of creating a requirement or a defect record in a planning system, committing a line of code in a source code management tool, a software build, completion of a test or scan and a deployment to an end system; and
a present state database comprising a key/value pair database, wherein each key is a value of stored metadata and references an underlying data source record;
wherein:
the controller receives a metadata artifact for a software development lifecycle event from one of the software development tools over a message bus;
the controller writes the metadata artifact to the metadata store; and
the controller updates the present state database with values for metadata keys referencing the metadata artifact in the metadata store.
17. The system of claim 16, wherein:
the controller receives a file of interest;
the controller generates a hash of the file of interest, wherein the hash uniquely identifies the file of interest;
the controller searches the present state database with the hash;
the controller retrieves a record from the present state database that matches the hash;
the controller retrieves a block from a metadata store referenced by the record; and
the controller retrieves a file archive associated with the record.
US16/513,114 2018-07-17 2019-07-16 System and method for distributed ledger-based software supply chain management Active US11106458B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/513,114 US11106458B2 (en) 2018-07-17 2019-07-16 System and method for distributed ledger-based software supply chain management

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862699313P 2018-07-17 2018-07-17
US16/513,114 US11106458B2 (en) 2018-07-17 2019-07-16 System and method for distributed ledger-based software supply chain management

Publications (2)

Publication Number Publication Date
US20200026510A1 US20200026510A1 (en) 2020-01-23
US11106458B2 true US11106458B2 (en) 2021-08-31

Family

ID=69161281

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/513,114 Active US11106458B2 (en) 2018-07-17 2019-07-16 System and method for distributed ledger-based software supply chain management

Country Status (3)

Country Link
US (1) US11106458B2 (en)
GB (1) GB2590327B (en)
WO (1) WO2020018523A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210073289A1 (en) * 2019-09-06 2021-03-11 Digital Asset Capital, Inc. Event-based entity scoring in distributed systems
US20220108005A1 (en) * 2021-12-15 2022-04-07 Intel Corporation Protecting software supply chain using secure log generated in a trusted build environment
US11443047B2 (en) * 2020-04-20 2022-09-13 Mastercard International Incorporated Systems and methods for use in validating artifacts for deployment
US11544045B2 (en) * 2020-12-07 2023-01-03 Coinbase, Inc. Automatic smart contract analysis

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210089297A1 (en) * 2019-09-20 2021-03-25 Sungard Availability Services, Lp Automated check for ticket status of merged code
US20210173826A1 (en) * 2019-12-05 2021-06-10 Vivsoft Technologies LLC System and methods for securing software chain of custody
US12099997B1 (en) 2020-01-31 2024-09-24 Steven Mark Hoffberg Tokenized fungible liabilities
US11558173B2 (en) 2020-03-20 2023-01-17 Mastercard International Incorporated Method and system for auditing smart contracts
US11249750B2 (en) 2020-06-23 2022-02-15 Bank Of America Corporation Implementing a distributed register to verify the stability of an application server environment for software development and testing
US11726773B2 (en) 2021-05-19 2023-08-15 Micro Focus Llc Software supply chain quality control evaluation using blockchain
US11789617B2 (en) * 2021-06-29 2023-10-17 Acronis International Gmbh Integration of hashgraph and erasure coding for data integrity
US11875288B2 (en) * 2021-12-03 2024-01-16 International Business Machines Corporation Discovering and using application deployment dependencies to augment governance and compliance policy

Citations (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7003560B1 (en) * 1999-11-03 2006-02-21 Accenture Llp Data warehouse computing system
US20080082517A1 (en) * 2006-08-29 2008-04-03 Sap Ag Change assistant
US20080092107A1 (en) * 2006-09-27 2008-04-17 Mcwilliam Joshua Software Development and Sales Life-Cycle Services
US20150347119A1 (en) * 2014-06-02 2015-12-03 Qiushi WANG Automatic deployment and update of hybrid applications
US20150379510A1 (en) * 2012-07-10 2015-12-31 Stanley Benjamin Smith Method and system to use a block chain infrastructure and Smart Contracts to monetize data transactions involving changes to data included into a data supply chain.
US20160260169A1 (en) * 2015-03-05 2016-09-08 Goldman, Sachs & Co. Systems and methods for updating a distributed ledger based on partial validations of transactions
US20160292672A1 (en) * 2015-03-31 2016-10-06 Nasdaq, Inc. Systems and methods of blockchain transaction recordation
WO2017027648A1 (en) 2015-08-11 2017-02-16 Jeff Stollman System and methods to ensure asset and supply chain integrity
US20170287090A1 (en) * 2016-03-31 2017-10-05 Clause, Inc. System and method for creating and executing data-driven legal contracts
US20170366353A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Generation of hash values within a blockchain
US20170364700A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Immutable logging of access requests to distributed file systems
US20170364701A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Storing differentials of files in a distributed blockchain
US20170364698A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Fragmenting data for the purposes of persistent storage across multiple immutable data structures
US20170364450A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Immutable datastore for low-latency reading and writing of large data sets
US20170364699A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Transparent client application to arbitrate data storage between mutable and immutable data repositories
US20180205552A1 (en) * 2015-06-02 2018-07-19 ALTR Solutions, Inc. Utilizing a tree-structure to segment and distribute files across a series of blockchains
US20180278582A1 (en) * 2017-03-23 2018-09-27 International Business Machines Corporation Digital media content distribution blocking
US20180307857A1 (en) * 2015-06-02 2018-10-25 ALTR Solution, Inc. Replacing distinct data in a relational database with a distinct reference to that data and distinct de-referencing of database data
US20180341648A1 (en) * 2016-02-03 2018-11-29 Luther Systems System and method for secure management of digital contracts
US20180375888A1 (en) * 2015-12-15 2018-12-27 Flying Cloud Technologies, Inc. Data Surveillance System with Contextual Information
US20190121669A1 (en) * 2017-10-20 2019-04-25 American Express Travel Related Services Company, Inc. Executing tasks using modular and intelligent code and data containers
US20190129893A1 (en) * 2017-11-01 2019-05-02 Swirlds, Inc. Methods and apparatus for efficiently implementing a fast-copyable database
US20190132350A1 (en) * 2017-10-30 2019-05-02 Pricewaterhousecoopers Llp System and method for validation of distributed data storage systems
US20190163912A1 (en) * 2017-11-30 2019-05-30 Mocana Corporation System and method for recording device lifecycle transactions as versioned blocks in a blockchain network using a transaction connector and broker service
US20190172073A1 (en) * 2012-09-28 2019-06-06 Rex Wiig System and method of a requirement, active compliance and resource management for cyber security application
US20190230129A1 (en) * 2018-01-23 2019-07-25 CYBRIC Inc. Monitoring & reporting enterprise level cybersecurity remediation
US20190229915A1 (en) * 2018-01-23 2019-07-25 CYBRIC Inc. Trusted verification of cybersecurity remediation
US20190279321A1 (en) * 2018-03-12 2019-09-12 IdeaBlock LLC Proof of public idea disclosure using blockchain
US20190303579A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Decentralized, immutable, tamper-evident, directed acyclic graphs documenting software supply-chains with cryptographically signed records of software-development life cycle state and cryptographic digests of executable code
US20190303623A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Promotion smart contracts for software development processes
US20190303541A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Auditing smart contracts configured to manage and document software audits
US20190305957A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Execution smart contracts configured to establish trustworthiness of code before execution
US20190305959A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Announcement smart contracts to announce software release
US20190306173A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Alert smart contracts configured to manage and respond to alerts related to code
US20190317756A1 (en) * 2018-04-11 2019-10-17 Walmart Apollo, Llc Software artifact management systems and methods
US20190385229A1 (en) * 2018-03-02 2019-12-19 Shane Michael Leonard Methods and apparatus for ingestion of legacy records into a mortgage servicing blockchain
US20190394243A1 (en) * 2012-09-28 2019-12-26 Rex Wiig System and method of a requirement, active compliance and resource management for cyber security application
US20190394242A1 (en) * 2012-09-28 2019-12-26 Rex Wig System and method of a requirement, active compliance and resource management for cyber security application
US20200007513A1 (en) * 2018-06-29 2020-01-02 Arm Ip Limited Blockchain infrastructure for securing and/or managing electronic artifacts
US20200076571A1 (en) * 2018-08-29 2020-03-05 International Business Machines Corporation Checkpointing for increasing efficiency of a blockchain
US20200204574A1 (en) * 2015-12-15 2020-06-25 Flying Cloud Technologies, Inc. Data Surveillance for Privileged Assets based on Threat Streams
US10789590B2 (en) * 2016-05-02 2020-09-29 Bao Tran Blockchain

Patent Citations (43)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7003560B1 (en) * 1999-11-03 2006-02-21 Accenture Llp Data warehouse computing system
US20080082517A1 (en) * 2006-08-29 2008-04-03 Sap Ag Change assistant
US20080092107A1 (en) * 2006-09-27 2008-04-17 Mcwilliam Joshua Software Development and Sales Life-Cycle Services
US20150379510A1 (en) * 2012-07-10 2015-12-31 Stanley Benjamin Smith Method and system to use a block chain infrastructure and Smart Contracts to monetize data transactions involving changes to data included into a data supply chain.
US20190394243A1 (en) * 2012-09-28 2019-12-26 Rex Wiig System and method of a requirement, active compliance and resource management for cyber security application
US20190172073A1 (en) * 2012-09-28 2019-06-06 Rex Wiig System and method of a requirement, active compliance and resource management for cyber security application
US20190394242A1 (en) * 2012-09-28 2019-12-26 Rex Wig System and method of a requirement, active compliance and resource management for cyber security application
US20150347119A1 (en) * 2014-06-02 2015-12-03 Qiushi WANG Automatic deployment and update of hybrid applications
US20160260169A1 (en) * 2015-03-05 2016-09-08 Goldman, Sachs & Co. Systems and methods for updating a distributed ledger based on partial validations of transactions
US20160292672A1 (en) * 2015-03-31 2016-10-06 Nasdaq, Inc. Systems and methods of blockchain transaction recordation
US20170364698A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Fragmenting data for the purposes of persistent storage across multiple immutable data structures
US20180307857A1 (en) * 2015-06-02 2018-10-25 ALTR Solution, Inc. Replacing distinct data in a relational database with a distinct reference to that data and distinct de-referencing of database data
US20170364700A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Immutable logging of access requests to distributed file systems
US20170364450A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Immutable datastore for low-latency reading and writing of large data sets
US20170364699A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Transparent client application to arbitrate data storage between mutable and immutable data repositories
US20180205552A1 (en) * 2015-06-02 2018-07-19 ALTR Solutions, Inc. Utilizing a tree-structure to segment and distribute files across a series of blockchains
US20170366353A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Generation of hash values within a blockchain
US20170364701A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Storing differentials of files in a distributed blockchain
WO2017027648A1 (en) 2015-08-11 2017-02-16 Jeff Stollman System and methods to ensure asset and supply chain integrity
US20180375888A1 (en) * 2015-12-15 2018-12-27 Flying Cloud Technologies, Inc. Data Surveillance System with Contextual Information
US20200204574A1 (en) * 2015-12-15 2020-06-25 Flying Cloud Technologies, Inc. Data Surveillance for Privileged Assets based on Threat Streams
US20180341648A1 (en) * 2016-02-03 2018-11-29 Luther Systems System and method for secure management of digital contracts
US20170287090A1 (en) * 2016-03-31 2017-10-05 Clause, Inc. System and method for creating and executing data-driven legal contracts
US10789590B2 (en) * 2016-05-02 2020-09-29 Bao Tran Blockchain
US20180278582A1 (en) * 2017-03-23 2018-09-27 International Business Machines Corporation Digital media content distribution blocking
US20190121669A1 (en) * 2017-10-20 2019-04-25 American Express Travel Related Services Company, Inc. Executing tasks using modular and intelligent code and data containers
US20190132350A1 (en) * 2017-10-30 2019-05-02 Pricewaterhousecoopers Llp System and method for validation of distributed data storage systems
US20190129893A1 (en) * 2017-11-01 2019-05-02 Swirlds, Inc. Methods and apparatus for efficiently implementing a fast-copyable database
US20190163912A1 (en) * 2017-11-30 2019-05-30 Mocana Corporation System and method for recording device lifecycle transactions as versioned blocks in a blockchain network using a transaction connector and broker service
US20190229915A1 (en) * 2018-01-23 2019-07-25 CYBRIC Inc. Trusted verification of cybersecurity remediation
US20190230129A1 (en) * 2018-01-23 2019-07-25 CYBRIC Inc. Monitoring & reporting enterprise level cybersecurity remediation
US10565644B2 (en) * 2018-03-02 2020-02-18 Ranieri Ip, Llc Methods and apparatus for ingestion of legacy records into a mortgage servicing blockchain
US20190385229A1 (en) * 2018-03-02 2019-12-19 Shane Michael Leonard Methods and apparatus for ingestion of legacy records into a mortgage servicing blockchain
US20190279321A1 (en) * 2018-03-12 2019-09-12 IdeaBlock LLC Proof of public idea disclosure using blockchain
US20190303623A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Promotion smart contracts for software development processes
US20190306173A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Alert smart contracts configured to manage and respond to alerts related to code
US20190305959A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Announcement smart contracts to announce software release
US20190305957A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Execution smart contracts configured to establish trustworthiness of code before execution
US20190303541A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Auditing smart contracts configured to manage and document software audits
US20190303579A1 (en) * 2018-04-02 2019-10-03 Ca, Inc. Decentralized, immutable, tamper-evident, directed acyclic graphs documenting software supply-chains with cryptographically signed records of software-development life cycle state and cryptographic digests of executable code
US20190317756A1 (en) * 2018-04-11 2019-10-17 Walmart Apollo, Llc Software artifact management systems and methods
US20200007513A1 (en) * 2018-06-29 2020-01-02 Arm Ip Limited Blockchain infrastructure for securing and/or managing electronic artifacts
US20200076571A1 (en) * 2018-08-29 2020-03-05 International Business Machines Corporation Checkpointing for increasing efficiency of a blockchain

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
International Search Report, dated Nov. 13, 2019, from corresponding International Application No. PCT/US2019/041982.
Valentina Lenarsuzzi et al., Blockchain application for Agile methodologies, May 21-25, 2018, [Retrieved on Mar. 10, 2021]. Retrieved from the internet: <URL: https://dl.acm.org/doi/pdf/10.1145/3234152.3234155> 3 Pages (1-3) (Year: 2018). *
Written Opinion of the International Searching Authority, dated Nov. 13, 2019, from corresponding International Application No. PCT/US2019/041982.

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210073289A1 (en) * 2019-09-06 2021-03-11 Digital Asset Capital, Inc. Event-based entity scoring in distributed systems
US11526333B2 (en) 2019-09-06 2022-12-13 Digital Asset Capital, Inc. Graph outcome determination in domain-specific execution environment
US11443047B2 (en) * 2020-04-20 2022-09-13 Mastercard International Incorporated Systems and methods for use in validating artifacts for deployment
US11544045B2 (en) * 2020-12-07 2023-01-03 Coinbase, Inc. Automatic smart contract analysis
US20220108005A1 (en) * 2021-12-15 2022-04-07 Intel Corporation Protecting software supply chain using secure log generated in a trusted build environment

Also Published As

Publication number Publication date
GB202102383D0 (en) 2021-04-07
GB2590327B (en) 2023-02-08
US20200026510A1 (en) 2020-01-23
WO2020018523A1 (en) 2020-01-23
GB2590327A (en) 2021-06-23

Similar Documents

Publication Publication Date Title
US11106458B2 (en) System and method for distributed ledger-based software supply chain management
US11281751B2 (en) Digital asset traceability and assurance using a distributed ledger
US10621360B2 (en) Amalgamating code vulnerabilities across projects
US9904614B2 (en) Source code inspection and verification
US9940114B2 (en) Seal-based regulation for software deployment management
US11550568B1 (en) Automatically deploying artifacts
US11947505B2 (en) Systems and methods for tracking data lineage and record lifecycle using distributed ledgers
US20140250306A1 (en) Decision service manager
US11328065B1 (en) Architectures, systems, and methods for building trusted and secure artifacts
EP2667301B1 (en) Decision service manager
Annett Working with Legacy Systems: A practical guide to looking after and maintaining the systems we inherit
US11722324B2 (en) Secure and accountable execution of robotic process automation
Nadgowda et al. tapiserí: Blueprint to modernize DevSecOps for real world
van Merode Requirements Analysis
Day DevOps DevOps
US11042536B1 (en) Systems and methods for automated data visualization
Pinho DevOps approach to measure product quality and developers? Efficiency
van Merode Continuous Integration (CI) and Continuous Delivery (CD)
Bryce et al. Code Distribution Process-Definition of Evaluation Metrics
Bogoda Applicability of agent technology for software release management
PEKNÍK DEPLOYMENT OF NEW VERSIONS OF GNOME PROJECT

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

AS Assignment

Owner name: JPMORGAN CHASE BANK, N.A., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KEITH, ROBERT FALCONER;TIWARI, ASHISH;SIGNING DATES FROM 20210219 TO 20210221;REEL/FRAME:055383/0413

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STCF Information on status: patent grant

Free format text: PATENTED CASE